Fix threat detection AWF run missing --copilot-api-target and GHE domains on data residency #21527
…ains on data residency

When engine.api-target is configured for GHE Cloud with data residency, propagate the APITarget from the main engine config to the detection engine config so the threat detection AWF invocation receives the same --copilot-api-target flag and GHE-specific domains in --allow-domains.

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Pull request overview
This PR ensures threat detection’s inline AWF execution inherits the main engine’s engine.api-target, so custom/GHE endpoints receive the same --copilot-api-target behavior as the primary agent run.
Changes:
- Propagate `EngineConfig.APITarget` into the threat detection engine execution configuration (with inheritance from the main engine config when unset).
- Add unit + integration regression tests validating `--copilot-api-target` propagation into threat detection AWF invocations.
- Add a patch changeset describing the behavioral fix.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| pkg/workflow/threat_detection.go | Copies/inherits APITarget into the threat detection engine config used for AWF execution. |
| pkg/workflow/threat_detection_test.go | Adds unit test coverage for APITarget propagation precedence/inheritance. |
| pkg/workflow/allowed_domains_sanitization_test.go | Adds integration regression test validating lockfile includes --copilot-api-target for both main + threat detection invocations. |
| .changeset/patch-threat-detection-ghe-api-target.md | Documents the patch-level behavior change. |
@lpcox we should add support for env vars in a future PR
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
…api-target
- Fix TestAPITargetDomainsInThreatDetectionStep to use api.contoso-aw.ghe.com (copilot-api. prefix does not trigger base-domain derivation in GetAPITargetDomains)
- Add GetCopilotAPITarget() helper: resolves --copilot-api-target from engine.api-target (explicit) or GITHUB_COPILOT_BASE_URL in engine.env (fallback), mirroring the OPENAI_BASE_URL/ANTHROPIC_BASE_URL pattern for Codex/Claude
- Update awf_helpers.go, copilot_engine_execution.go, and domains.go to use the helper
- Add unit tests for GetCopilotAPITarget and engine execution step
- Add integration test TestGitHubCopilotBaseURLInCompiledWorkflow
- Update engines.md docs to document GITHUB_COPILOT_BASE_URL

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…' into copilot/fix-threat-detection-run # Conflicts: # pkg/workflow/allowed_domains_sanitization_test.go
Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning: Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
@lpcox I messed up this PR

@pelikhan copilot is trying to figure out why ci failed
… files (#21609) Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
* docs: add GH_HOST and RUNNER_TEMP to glossary (daily scan 2026-03-18) (#21553)
* docs: update GHES CLI docs and add Copilot GHES troubleshooting guide (#21528)
* Fix list height not updating on terminal resize (#21555)
* fix(daily-workflow-updater): unblock PR creation by setting protected-files: allowed (#21554)
* chore: bump MCP Gateway v0.1.15→v0.1.17 (#21552)
* feat: custom Huh theme mapped from pkg/styles Dracula palette (#21557)
* Add top-level `github-app` frontmatter as universal fallback for token minting (#21510)
* feat: add GitHub App-only permissions support (#21511)
* fix: fall back to existing remote tracking ref when incremental patch fetch fails (#21568)
* Add weekly blog post writer agentic workflow (#21575)
* ci: add timeout-minutes to all 25 jobs lacking explicit limits (#21601)
* fix: add setupGlobals in generate_aw_info step to fix staged mode ReferenceError (#21602)
* Disable lockdown mode for weekly blog post generator (#21598)
* fix: replace git push with GraphQL signed commits to satisfy required_signatures rulesets (#21576)
* docs: add weekly update blog post for 2026-03-18 (#21608)
  Covers v0.58.0 through v0.61.0 (7 releases this week), notable PRs, and auto-triage-issues as Agent of the Week.
  Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Fix failing CI: merge main to include setupGlobals in generate_aw_info step and update golden files
  Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
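On GHE Cloud with data residency, the main agent AWF invocation correctly receives `--copilot-api-target` and GHE-specific domains in `--allow-domains`, but the inline threat detection AWF invocation does not — causing it to fail with exit code 1 even when the agent itself succeeds.

Root cause

In `buildDetectionEngineExecutionStep`, the `detectionEngineConfig` was built by copying only `ID`, `Model`, `Version`, `Env`, `Config`, and `Args` from the engine config — `APITarget` was silently dropped. The AWF builder uses `APITarget` to emit both `--copilot-api-target` and the derived GHE hostnames in `--allow-domains`, so both were absent from the detection run.

Changes

- `pkg/workflow/threat_detection.go` — copy `APITarget` into the detection engine config struct; add fallback to inherit from the main engine config when the threat-detection-specific engine config omits it (preserving override semantics when it's explicitly set)
- `pkg/workflow/threat_detection_test.go` — unit tests covering direct propagation, inheritance when detection config has no `APITarget`, detection config taking precedence over the main config, and the no-`APITarget` baseline
- `pkg/workflow/allowed_domains_sanitization_test.go` — integration test compiling a GHE workflow and asserting `--copilot-api-target` appears in both AWF invocations and that every `--allow-domains` line includes the expected GHE hostnames
- `pkg/workflow/awf_helpers.go` — add `GetCopilotAPITarget()` helper that resolves the Copilot API target from `engine.api-target` (explicit, takes precedence) or `GITHUB_COPILOT_BASE_URL` in `engine.env` (fallback), mirroring the `OPENAI_BASE_URL` → `--openai-api-target` and `ANTHROPIC_BASE_URL` → `--anthropic-api-target` patterns used by Codex and Claude
- `pkg/workflow/copilot_engine_execution.go` and `pkg/workflow/domains.go` — use `GetCopilotAPITarget()` so `GITHUB_COPILOT_BASE_URL` is also reflected in `--allow-domains` and `GH_AW_ALLOWED_DOMAINS`
- `docs/src/content/docs/reference/engines.md` — document `GITHUB_COPILOT_BASE_URL` alongside `OPENAI_BASE_URL` and `ANTHROPIC_BASE_URL` in the "Custom API Endpoints via Environment Variables" section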
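The dropped field and the inheritance and precedence rules described in this PR, as an added Go example that is not the project's own code. `EngineConfig` here is a simplified stand-in, the function names `detectionConfigBefore`, `detectionConfig` and `copilotAPITarget` are hypothetical, and taking the host part of `GITHUB_COPILOT_BASE_URL` is an assumption about how the fallback is resolved.

```go
package main

import (
	"fmt"
	"net/url"
)

// EngineConfig is a simplified stand-in for the project's type (assumption).
type EngineConfig struct {
	ID, Model, APITarget string
	Env                  map[string]string
}

// detectionConfigBefore mirrors the pre-fix copy: APITarget is dropped.
func detectionConfigBefore(src *EngineConfig) *EngineConfig {
	return &EngineConfig{ID: src.ID, Model: src.Model, Env: src.Env}
}

// detectionConfig copies APITarget too. An explicit value on the detection
// override wins; when empty, mainCfg's value is inherited. mainCfg is non-nil.
func detectionConfig(mainCfg, override *EngineConfig) *EngineConfig {
	src := mainCfg
	if override != nil {
		src = override
	}
	out := &EngineConfig{ID: src.ID, Model: src.Model, Env: src.Env, APITarget: src.APITarget}
	if out.APITarget == "" {
		out.APITarget = mainCfg.APITarget
	}
	return out
}

// copilotAPITarget returns the explicit APITarget, else the host of
// GITHUB_COPILOT_BASE_URL from Env (host extraction is an assumption).
func copilotAPITarget(cfg *EngineConfig) string {
	if cfg.APITarget != "" {
		return cfg.APITarget
	}
	if u, err := url.Parse(cfg.Env["GITHUB_COPILOT_BASE_URL"]); err == nil {
		return u.Hostname()
	}
	return ""
}

func main() {
	mainCfg := &EngineConfig{ID: "copilot", APITarget: "api.contoso-aw.ghe.com"} // constructed sample
	fmt.Printf("before fix: %q\n", copilotAPITarget(detectionConfigBefore(mainCfg)))
	fmt.Printf("after fix:  %q\n", copilotAPITarget(detectionConfig(mainCfg, nil)))
}
```

An empty target on the detection side means no `--copilot-api-target` flag is emitted for that run, which is the failure mode the PR describes.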
pkg/workflow/threat_detection.go— copyAPITargetinto the detection engine config struct; add fallback to inherit from the main engine config when the threat-detection-specific engine config omits it (preserving override semantics when it's explicitly set)pkg/workflow/threat_detection_test.go— unit tests covering direct propagation, inheritance when detection config has noAPITarget, detection config taking precedence over the main config, and the no-APITargetbaselinepkg/workflow/allowed_domains_sanitization_test.go— integration test compiling a GHE workflow and asserting--copilot-api-targetappears in both AWF invocations and that every--allow-domainsline includes the expected GHE hostnamespkg/workflow/awf_helpers.go— addGetCopilotAPITarget()helper that resolves the Copilot API target fromengine.api-target(explicit, takes precedence) orGITHUB_COPILOT_BASE_URLinengine.env(fallback), mirroring theOPENAI_BASE_URL→--openai-api-targetandANTHROPIC_BASE_URL→--anthropic-api-targetpatterns used by Codex and Claudepkg/workflow/copilot_engine_execution.goandpkg/workflow/domains.go— useGetCopilotAPITarget()soGITHUB_COPILOT_BASE_URLis also reflected in--allow-domainsandGH_AW_ALLOWED_DOMAINSdocs/src/content/docs/reference/engines.md— documentGITHUB_COPILOT_BASE_URLalongsideOPENAI_BASE_URLandANTHROPIC_BASE_URLin the "Custom API Endpoints via Environment Variables" section🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.